UNLIMITED FREE
ACCESS TO THE WORLD'S BEST IDEAS

SUBMIT
Already a GlobalSpec user? Log in.

This is embarrasing...

An error occurred while processing the form. Please try again in a few minutes.

Customize Your GlobalSpec Experience

Select Your Free Newsletters

Industry Newsletters

Select Your Free Product Alerts

Finish!
Privacy Policy

This is embarrasing...

An error occurred while processing the form. Please try again in a few minutes.

ISO/IEC TR 20004

Information technology - Security techniques - Refining software vulnerability analysis under ISO/IEC 15408 and ISO/IEC 18045

active, Most Current
Buy Now
Organization: ISO
Publication Date: 15 December 2015
Status: active
Page Count: 24
ICS Code (Information coding): 35.040
scope:

This Technical Report refines the AVA_VAN assurance family activities defined in ISO/IEC 18045 and provides more specific guidance on the identification, selection and assessment of relevant potential vulnerabilities in order to conduct an ISO/IEC 15408 evaluation of a software target of evaluation. This Technical Report leverages publicly available information security resources to support the method of scoping and implementing ISO/IEC 18045 vulnerability analysis activities. The Technical Report currently uses the common weakness enumeration (CWE) and the common attack pattern enumeration and classification (CAPEC), but does not preclude the use of any other appropriate resources. Furthermore, this Technical Report is not meant to address all possible vulnerability analysis methods, including those that fall outside the scope of the activities outlined in ISO/IEC 18045.

This Technical Report does not define evaluator actions for certain high assurance ISO/IEC 15408 components, where there is as yet no generally agreed guidance.

Document History

ISO/IEC TR 20004
December 15, 2015
Information technology - Security techniques - Refining software vulnerability analysis under ISO/IEC 15408 and ISO/IEC 18045
This Technical Report refines the AVA_VAN assurance family activities defined in ISO/IEC 18045 and provides more specific guidance on the identification, selection and assessment of relevant...
ISO/IEC TR 20004
August 15, 2012
Information technology - Security techniques - Refining software vulnerability analysis under ISO/IEC 15408 and ISO/IEC 18045
This Technical Report refines the AVA_VAN assurance family activities defined in ISO/IEC 18045:2008 and provides more specific guidance on the identification, selection and assessment of relevant...

References

This document references:
ISO/IEC 15408-1 - Information security, cybersecurity and privacy protection — Evaluation criteria for IT security — Part 1: Introduction and general model
Published by ISO on August 1, 2022
This document establishes the general concepts and principles of IT security evaluation and specifies the general model of evaluation given by various parts of the standard which in its entirety is...
This document references:
ISO/IEC 15026-2 - Systems and software engineering - Systems and software assurance - Part 2: Assurance case
Published by ISO on February 15, 2011
This part of ISO/IEC 15026 specifies minimum requirements for the structure and contents of an assurance case. An assurance case includes a top-level claim for a property of a system or product (or...
This document references:
ISO/IEC 15408-1 - Information security, cybersecurity and privacy protection — Evaluation criteria for IT security — Part 1: Introduction and general model
Published by ISO on August 1, 2022
This document establishes the general concepts and principles of IT security evaluation and specifies the general model of evaluation given by various parts of the standard which in its entirety is...
This document references:
ISO/IEC 15408-2 - Information technology - Security techniques - Evaluation criteria for IT security - Part 2: Security functional components
Published by ISO on August 15, 2008
This part of ISO/IEC 15408 defines the required structure and content of security functional components for the purpose of security evaluation. It includes a catalogue of functional components that...
This document references:
ISO/IEC 15408-3 - Information technology - Security techniques - Evaluation criteria for IT security - Part 3: Security assurance components
Published by ISO on August 15, 2008
This part of ISO/IEC 15408 defines the assurance requirements of ISO/IEC 15408. It includes the evaluation assurance levels (EALs) that define a scale for measuring assurance for component TOEs, the...
This document references:
ISO/IEC 18045 - Information technology - Security techniques - Methodology for IT security evaluation
Published by ISO on August 15, 2008
A description is not available for this item.
This document is referenced by:
ISO/IEC TS 20540 - Information technology - Security techniques - Testing cryptographic modules in their operational environment
Published by ISO on May 1, 2018
This document provides recommendations and checklists which can be used to support the specification and operational testing of cryptographic modules in their operational environment within an...
This document is referenced by:
BS ISO/IEC 19896-3 - IT security techniques — Competence requirements for information security testers and evaluators Part 3: Knowledge, skills and effectiveness requirements for ISO/IEC 15408 evaluators
Published by BSI on August 31, 2018
A description is not available for this item.
This document is referenced by:
BS PD ISO/IEC TS 20540 - Information technology — Security techniques — Testing cryptographic modules in their operational environment
Published by BSI on June 30, 2018
A description is not available for this item.
This document is referenced by:
CSA ISO/IEC TS 20540 - Information technology - Security techniques - Testing cryptographic modules in their operational environment
Published by CSA on January 1, 2019
This document provides recommendations and checklists which can be used to support the specification and operational testing of cryptographic modules in their operational environment within an...
This document is referenced by:
CSA ISO/IEC 19896-3 - IT security techniques — Competence requirements for information security testers and evaluators — Part 3: Knowledge, skills and effectiveness requirements for ISO/IEC 15408 evaluators
Published by CSA on January 1, 2020
This document provides the specialized requirements to demonstrate competence of individuals in performing IT product security evaluations in accordance with ISO/IEC 15408 (all parts) and ISO/IEC...
View Less
View All
Advertisement